How NeuVector Can Protect Against the XZ Backdoor Attack CVE-2024-3094 in Kubernetes Environments

Security researcher Andres Freund reported to Debian that the xz/liblzma library had been backdoored. As a result, CVE-2024-3094 was published with a critical CVSS score of 10. This vulnerability stems from a supply chain compromise on versions 5.6.0 and 5.6.1 of XZ Utils. XZ Utils is data compression software included in major Linux distributions. The recommended action is to downgrade to an uncompromised XZ Utils version (earlier than 5.6.0).

Detecting CVE-2024-3094

NeuVector, the 100% open source, full-lifecycle container security solution from SUSE, is able to scan for and detect CVE-2024-3094 in its vulnerability scanner starting with CVE Database Version 3.395, created 03/31/2024. Scanning images, running containers and scanning the hosts on which they run are some of the actionable steps that can be taken to protect against this exploitation. Any detected vulnerabilities should be remediated immediately; some pipelines may take some time to redeploy a remediated image. 

Detecting and preventing exploits

NeuVector provides zero trust runtime security designed to detect and prevent zero-day attacks as well as exploits of unknown or unpatched vulnerabilities in Kubernetes and other containerized environments, as well as the hosts* on which they run. NeuVector run-time protections include:

• General zero trust network controls will not allow unauthorized inbound or outbound ssh connections. Should a compromise occur, these network controls will also help detect follow-on (i.e., ‘kill chain’) activities to expand the blast radius of the attack, such as probing for sensitive data.
• Zero trust egress controls are the most effective way to prevent command and control exploitations. Make sure aggressive egress controls are in place with Protect mode (blocking) enabled in NeuVector for any containers with external access or with this CVE detected. By default, allowing listed legitimate external connections will prevent unauthorized SSH connections. However, an added layer of protection could be implemented to block external SSH connections explicitly.
• Built-in suspicious process detection for process activity is typically not expected in running containers, such as sshd for inbound and ssh for outbound connections. Ensure that alerting is properly configured for when these suspicious activities are detected, and consider Protect mode for affected containers to block these processes.
• Additional protections should be considered in NeuVector:
  • Add an Admission Control rule to block any deployments of images with CVE-2024-3094.
  • Implement Protect mode for any containers with potential exposure to ensure:
    • No egress/external connections are in the “allowlist.”
    • External connections are explicitly allowed to specific DNS hostnames and IP addresses and for only required application protocol(s).
  • Enforce supply chain security by vetting and approving image sources and requiring signatures to be verified by admission controls before deploying.

*NeuVector scans hosts and nodes for vulnerabilities and detects suspicious processes. Network firewall protections apply only to container workloads.

The NeuVector container security platform software and its containers themselves are not vulnerable to this exploit. Customers using SUSE’s enterprise-supported container security, NeuVector Prime, can contact SUSE Support for additional questions or advice regarding protecting against this exploit.

Want to learn more?

SUSE addressed this vulnerability in a recent blog post and openSUSE announcement, indicating that SUSE Linux Enterprise and Leap are also unaffected by this backdoor.